A business that just wants to keep guests and visitors off the corporate network but grant them Internet access can get by with a NAC appliance, he says, but appliances don't scale well for deployment in large organizations, Whiteley says.
Before this hardware announcement, McAfee's NAC options were limited to its Policy Enforcer Agent running on endpoints managed by McAfee's overriding ePolicy Orchestrator (ePO), which also manages McAfee antivirus, antispam and host IPS. If the agent finds a problem, it restricts network connectivity without relying on network infrastructure for enforcement.
McAfee's NAC software can also work in conjunction with other vendors' NAC gear, including Juniper and Check Point, using their products as enforcement points. This gives McAfee parity with other vendors that came at NAC from the hardware side, says Whiteley. McAfee NAC is also compatible with Microsoft's version of the technology called network access protection, or NAP, so NAP's policy decision and enforcement mechanisms could be used with McAfee's agent, for example.
The addition of network-based enforcement gives McAfee more options but not necessarily more options than its competitors, Whiteley says. He notes that Juniper can enforce NAC policies at its IPS or firewalls or other switches. But Juniper's endpoint NAC client software doesn't do as much as McAfee's. "It's not a full protection agent like McAfee's, where you're going to get more comprehensive risk coverage at the endpoint," Whiteley says.
Because McAfee's NAC is blended in with its ePO, managing NAC falls under an existing management platform, reducing the training needed to keep track of it, says Intelsat's Duggal, and that is important. If he judges that security products by different vendors afford the same degree of protection, he next checks which is simpler to manage in order to decide between them.
Support for NAC on McAfee's IPS is available now.